Laws and Regulations Related to Cybercrime: Worldwide
The majority of enterprises and organizations have shifted to remote work and digital access to services across all industries in the post-pandemic environment we live in today. As a result, companies now face significant risks from data breaches and cyberattacks. The likelihood of a major data breach keeps rising as malicious hackers use increasingly sophisticated methods to carry out these attacks, including exploiting infrastructure flaws.
It is now crucial that enterprises understand the legal complexities of cybersecurity regulation. Through a lack of understanding of cybersecurity standards, firms and organizations may build a mediocre security infrastructure that does not adhere to federal or international rules. This should encourage the management of enterprises to familiarize themselves with the main cybersecurity legislation.
Cybersecurity or cybercrime laws are regulations that protect information technology by requiring businesses and organizations to use a variety of defenses to secure their systems and data against intrusion. The main categories of international cyber law and the laws governing cybercrime worldwide are briefly discussed here. In this article you will find brief information on the following laws and regulations:
- Council of Europe's Convention on Cybercrime
- UN Convention against Transnational Organized Crime
- Computer Fraud and Abuse Act (US)
- Electronic Communications Privacy Act (US)
- Identity Theft and Assumption Deterrence Act (US)
- General Data Protection Regulation (EU)
- Federal Information Security Modernization Act (US)
- Health Insurance Portability and Accountability Act (US)
- Payment Card Industry Data Security Standard (PCI DSS)
- Children's Online Privacy Protection Act (COPPA, US)
- Telecommunications Act (US)
- Electronic Signatures in Global and National Commerce Act (US)
- Data Protection Act (UK)
- Australian Privacy Act
- Personal Information Protection and Electronic Documents Act (Canada)
- Cybercrime Prevention Act (Philippines)
- Information Technology (IT) Act (India)
- Cybersecurity Law of the People's Republic of China
Figure 1. Cybersecurity Laws and Regulations
Council of Europe's Convention on Cybercrime
The Budapest Convention on Cybercrime, also referred to as the Convention on Cybercrime or simply the Budapest Convention, is the first international treaty that aims to combat Internet and computer crime (cybercrime) by harmonizing national laws, enhancing investigative methods, and fostering international cooperation. It was drawn up by the Council of Europe in Strasbourg, France, with Canada, Japan, the Philippines, South Africa, and the United States participating actively as observers.
The Committee of Ministers of the Council of Europe approved the Convention and its Explanatory Report on November 8, 2001, at its 109th Session. It was made available for signing in Budapest on November 23, 2001, and became effective on July 1, 2004.
As of October 2022, 67 states had ratified the treaty; two additional governments (Ireland and South Africa) have signed it but have not yet ratified it. It is the first legally binding multinational instrument addressing cybercrime.
Important nations such as Brazil and India have refrained from ratifying the Convention since it came into force, on the grounds that they were not involved in its preparation. Russia opposes the Convention, claiming that adopting it would violate Russian sovereignty, and has often declined to assist in law enforcement investigations into cybercrime. After a spike in cybercrime in 2018, India began to reevaluate its position on the Convention, although concerns about sharing data with foreign agencies remain.
The Additional Protocol to the Convention on Cybercrime entered into force on March 1, 2006. States that have signed the Additional Protocol must criminalize the dissemination of racist and xenophobic material through computer systems, as well as threats and insults motivated by racism or xenophobia.
UN Convention against Transnational Organized Crime
The United Nations Convention Against Transnational Organized Crime (UNTOC, often known as the Palermo Convention) is a multilateral convention against transnational organized crime sponsored by the United Nations in 2000.
On November 15, 2000, the United Nations General Assembly passed a resolution adopting the Convention. India acceded on December 12, 2002.
The Convention entered into force on September 29, 2003. According to Palermo Mayor Leoluca Orlando, the conference was the first worldwide gathering to combat terrorism, human trafficking, and transnational organized crime.
The UNTOC tightened its anti-wildlife smuggling regulations in 2014. In order to comply with UNTOC's guidelines against people smuggling, Botswana signed the Anti-Human Trafficking Act of 2014.
Japan faced the problem of not being completely compliant with the UNTOC in 2017, which jeopardized its eligibility to stage the 2020 Summer Olympics and Paralympics as well as the 2019 Rugby World Cup.
Afghanistan first became UNTOC compliant with the introduction of a new criminal code in February 2018.
Computer Fraud and Abuse Act (US)
The United States passed the Computer Fraud and Abuse Act (CFAA) in 1986 as an amendment to the computer fraud provision (18 U.S.C. 1030) of the Comprehensive Crime Control Act of 1984. It makes it unlawful to access a computer without authorization or in excess of one's authorized access. Computer crimes were formerly prosecuted under the mail and wire fraud statutes, but that approach was sometimes insufficient.
The initial bill from 1984 was passed in response to worries that crimes using computers may go unpunished. The 1983 techno-thriller WarGames was referred to as "a realistic representation of the automatic dialing and access capabilities of the personal computer" in the House Committee Report to the original computer crime bill. In this movie, a young teenager from Seattle (played by Matthew Broderick) breaks into a U.S. military supercomputer programmed to predict potential outcomes of nuclear war and unwittingly nearly starts World War III.
The CFAA was created to extend existing tort law to intangible property while, in theory, restricting federal jurisdiction to cases "with a compelling federal interest, i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature". However, the CFAA's expansive definitions have spilled over into contract law. Besides altering some of the clauses in the original section 1030, the CFAA added further computer-related offenses to the list of prohibited conduct, with provisions covering the distribution of malicious code and denial-of-service attacks. According to Congress, the CFAA also contains a clause that makes trafficking in passwords and similar items illegal.
The Act has been amended several times since then: in 1989, 1994, 1996, and 2002, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Each amendment widened the range of conduct falling within the law's purview.
In his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal of January 2015, President Barack Obama suggested extending the CFAA and the RICO Act. DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren objected on the grounds that it would render many common Internet behaviors illegal, moving even farther from what they had tried to accomplish with Aaron's Law.
Electronic Communications Privacy Act (US)
The United States Congress passed the Electronic Communications Privacy Act (ECPA) to extend the restrictions on government wiretapping of telephone calls to computer-based electronic data communications. The ECPA amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (known as the Wiretap Statute), which was primarily meant to forbid unauthorized government access to private electronic communications.
The ECPA added the Stored Communications Act and other restrictions on access to electronically stored communications. It also contains clauses permitting the tracing of telephone communications. The ECPA was later amended by the Communications Assistance for Law Enforcement Act (CALEA) (1994), the USA PATRIOT Act (2001), the USA PATRIOT Act reauthorization (2006), and the FISA Amendments Act (2008). The statute allows federal agencies to demand access to emails that are more than 180 days old.
Identity Theft and Assumption Deterrence Act (US)
Identity theft, the malicious exploitation of another person's identity, is a problem for both victims and law enforcement. The Identity Theft and Assumption Deterrence Act, passed in 1998, made identity theft a federal offense in the United States. Since then, other laws have been passed to support its enforcement, including the Identity Theft Penalty Enhancement Act of 2004 and the Identity Theft Enforcement and Restitution Act of 2008. By providing legal remedies and severe penalties, these laws work together to reduce identity theft.
The Identity Theft and Assumption Deterrence Act (ITADA) was introduced in 1997 by Senator Jon Kyl. The growing flood of digital technology had made identity theft more accessible than ever, and federal legislation needed a new tool to act against it.
For the first time in American history, ITADA defines identity theft succinctly. Identity theft is considered to have occurred when the offender knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that violates Federal law or any applicable State or local law.
Importantly, under ITADA, misuse of personal information outside of approved records can be treated as identity theft. The ITADA definition specifically mentions a "means of identification" in addition to an identifying document. Prior to 1998, identity theft prosecutions could only be based on proof of stolen papers, which is of little use in a world where data can be copied and pasted.
General Data Protection Regulation (EU)
The General Data Protection Regulation (Regulation 2016/679, or "GDPR") is a regulation under EU law on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is a crucial component of EU privacy and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The main goals of the GDPR are to give individuals more control and rights over their personal data and to simplify the regulatory environment for international business. The regulation, which replaces the Data Protection Directive 95/46/EC, contains provisions and requirements relating to the processing of personal data of people, formally known as "data subjects", who are located in the EEA. It applies to any enterprise, regardless of its location or the citizenship or residence of the data subjects, that processes the personal data of people inside the EEA.
The GDPR was adopted on April 14, 2016, and took effect on May 25, 2018. Because the GDPR is a regulation rather than a directive, it is directly applicable and enforceable, while still leaving individual member states some flexibility to adjust certain provisions.
Many other countries' laws have been modeled on it, including those of Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya. Despite no longer being an EU member, the United Kingdom continues to uphold the regulation as of October 6, 2022. The GDPR and the California Consumer Privacy Act (CCPA), enacted on June 28, 2018, share many characteristics.
Federal Information Security Modernization Act (US)
On December 18, 2014, President Barack Obama signed the Federal Information Security Modernization Act of 2014 (often known as FISMA Reform). It updated existing rules to allow the federal government to respond to cyberattacks on departments and agencies, and was passed in response to the rising number of such attacks against the federal government.
In 2013, Darrell Issa, the chairman of the House Oversight and Government Reform Committee, and Elijah Cummings, the committee's ranking member, introduced H.R. 1163, the Federal Information Security Amendments Act. The U.S. House of Representatives voted 416-0 to pass the bill.
Thomas Carper (D-DE) presented the final version of the bill to the Senate Committee on Homeland Security and Governmental Affairs on June 24, 2014. It was passed by the Senate on December 8, 2014, and by the House on December 10, 2014.
Health Insurance Portability and Accountability Act (US)
The 104th United States Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA, or the Kennedy-Kassebaum Act), which President Bill Clinton signed into law on August 21, 1996. It addressed various constraints on healthcare insurance coverage and modernized the flow of healthcare information. It specifies how personally identifiable information held by healthcare and health insurance businesses must be protected against fraud and theft. It generally forbids healthcare providers and businesses, referred to as covered entities, from disclosing protected information without the patient's permission to anyone but the patient and their authorized representatives. With a few exceptions, it does not restrict patients' access to their own information. Patients are free to share their medical information with family, friends, or other people who are not employees of a covered entity, and confidentiality is not required in these situations.
The act has five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. The Administrative Simplification (AS) provisions of Title II called for the creation of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. Title III sets rules for pre-tax health savings accounts, Title IV sets rules for group health plans, and Title V regulates company-owned life insurance policies.
Payment Card Industry Data Security Standard (PCI DSS)
American Express, Visa, MasterCard, Discover Financial Services, and JCB International created the Payment Card Industry Data Security Standard (PCI DSS) in 2004 as a set of security requirements. The PCI DSS compliance program, overseen by the Payment Card Industry Security Standards Council (PCI SSC), aims to protect credit and debit card transactions against fraud and data theft.
Although the PCI SSC has no legal authority to compel compliance, compliance is required of every company that handles credit or debit card transactions. PCI certification is also regarded as the best way to protect sensitive data, helping firms build lasting and trustworthy relationships with their clients.
Children's Online Privacy Protection Act (COPPA, US)
The Children's Online Privacy Protection Act (COPPA), approved in 1998 and in force since 2000, is a federal privacy law in the United States. It is often referred to as the Children's Online Privacy Protection Rule. Since then, the Federal Trade Commission (FTC) has amended it several times. It safeguards the personal information of children under the age of 13 and requires operators of websites and online services to obtain parental or guardian consent before collecting that information. There is currently no federal privacy legislation in the US that applies to both adults and children.
Organizations that knowingly gather online personal data from children under the age of 13 are subject to the Children's Online Privacy Protection Act. Because websites and social media platforms are ecosystems rather than silos, the legislation is more specific and applies to companies that:
- knowingly gather personal data on children from visitors to a different website or online service aimed at children
- gather personal data from children even though the website or online service is intended for a wider audience
- run other services on their website, app, or other services (such as an ad network) and are aware that these additional services gather personal data from children under 13
Telecommunications Act (US)
The 104th United States Congress passed the Telecommunications Act of 1996 on January 3, 1996, and President Bill Clinton signed it into law on February 8, 1996. It substantially amended Chapter 5 of Title 47 of the United States Code.
The legislation, which amended the Communications Act of 1934, was the first substantial update to American telecommunications law in more than 60 years. It was notable as the first time the Internet was taken into account in broadcasting and spectrum allocation.
The law's declared goal was to "let anyone enter any communications business" and "let any communications business compete in any market against any other". The main objective of the law was the liberalization of the converging telecommunications and broadcasting markets. The law's regulatory approach has come under criticism, notably for the results of the communications market's dualistic re-regulation.
Electronic Signatures in Global and National Commerce Act (US)
The Electronic Signatures in Global and National Commerce Act (ESIGN Act; enacted June 30, 2000, 15 U.S.C. ch. 96) is a federal law of the United States passed by the U.S. Congress to encourage the use of electronic records and electronic signatures in interstate and international commerce by ensuring the validity and legal effect of contracts entered into electronically.
Although every state has at least one law governing electronic signatures, interstate commerce is governed by federal law. According to the first provision (Section 101(a)) of the ESIGN Act, a contract or signature "may not be denied legal effect, validity, or enforceability solely because it is in electronic form". This straightforward statement means that electronic signatures and records are as valid as their paper counterparts and must therefore pass the same legal tests for authenticity as paper documents.
Data Protection Act (UK)
The Data Protection Act 1998 (DPA, c. 29), an act of the British Parliament, was created to safeguard personal data held on computers or in a well-organized paper filing system. It adopted the rules for the storage, processing, and transfer of data set out in the 1995 European Union (EU) Data Protection Directive.
Under the 1998 DPA, individuals had legal rights to control information about themselves. Most of the Act did not apply to domestic use, such as keeping a personal address book. Subject to certain exceptions, anyone holding personal data for other purposes was legally required to comply with the Act. To ensure that information was handled lawfully, the Act established eight data protection principles.
On May 23, 2018, it was replaced by the Data Protection Act 2018 (DPA 2018). The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018. The GDPR imposes far stricter rules on the collection, storage, and use of personal data.
Australian Privacy Act
Australia's privacy law is the Privacy Act 1988. The Australian Privacy Principles (APPs), set out in Schedule 1 of the Act, are a set of privacy rules. They apply to agencies of the Australian Government and the Australian Capital Territory, to organizations and small businesses that provide health services, and to private organizations with an annual turnover of more than AUD$3 million (with some specific exceptions). The principles dictate when and how these organizations may collect personal information. Only data relevant to the functions performed by the agency may be collected. Australians have the right to know why their personal information is being collected and who will have access to it. Those in charge of storing data are responsible for preventing its loss and misuse. Unless expressly prohibited by law, every Australian also has the right to access the information held about them.
Personal Information Protection and Electronic Documents Act (Canada)
The Personal Information Protection and Electronic Documents Act (PIPEDA; French: Loi sur la protection des renseignements personnels et les documents électroniques) is a Canadian law governing data privacy. It sets rules for how private-sector businesses must collect, use, and disclose personal information. The Act also includes a number of measures that facilitate the use of electronic documents. PIPEDA became law on April 13, 2000, in order to increase consumer confidence in electronic commerce. It also served to reassure the European Union that Canadian privacy law was adequate to protect the personal data of EU citizens. Section 29 of PIPEDA requires Parliament to review Part I of the Act ("Protection of Personal Information in the Private Sector") every five years. The first Parliamentary review took place in 2007.
PIPEDA incorporates and makes mandatory the 1995 Model Code for the Protection of Personal Information produced by the Canadian Standards Association. However, there are certain exceptions to the Code that allow the collection, use, and disclosure of information without the individual's consent, for example in matters of international relations, emergencies, and national security. Under the Act, personal information may be disclosed to federal, provincial, or international law enforcement investigations without the individual's knowledge or consent. The basic rule that a person must have access to their personal information is also subject to exceptions. Examples include information that would likely reveal personal information about a third party, information whose disclosure is prohibited for legal, security, or commercial proprietary reasons, and information protected by solicitor-client privilege.
Cybercrime Prevention Act (Philippines)
The Cybercrime Prevention Act of 2012, officially Republic Act No. 10175, was signed into law in the Philippines on September 12, 2012. It aims to address legal concerns regarding online interactions and the Internet in the Philippines. The law contains provisions on offenses including cybersquatting, cybersex, child pornography, identity theft, unauthorized access to data, and libel.
The legislation has been praised for criminalizing online offenses that were not covered by existing laws, but it has also been criticized for its provision criminalizing libel, which is seen as a restriction on the right to free speech and has been described as "cyber authoritarianism". Its use against journalists such as Maria Ressa of Rappler has drawn international outrage.
On October 9, 2012, the Philippine Supreme Court issued a temporary restraining order halting implementation of the Act for 120 days. On February 5, 2013, the court extended the order "until further orders from the court".
On February 18, 2014, the Supreme Court affirmed the majority of the law's provisions, including the contentious clause on cyber libel.
Information Technology (IT) Act (India)
The Information Technology Act, 2000 is an Act of the Indian Parliament that was notified on October 17, 2000. It is often referred to as ITA-2000 or the IT Act. It is India's primary statute addressing electronic commerce and cybercrime.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Intermediary Guidelines Rules, 2011, are examples of secondary or subordinate legislation under the IT Act.
The original Act consisted of 13 chapters, 94 sections, and 4 schedules. The law applies throughout India. Persons of other nationalities may also be charged under the statute if the offense involves a computer or network located in India.
By recognizing digital signatures and electronic records, the Act creates a legal foundation for electronic governance. It also defines cybercrimes and lays out the associated penalties. To regulate the issuance of digital signatures, the Act mandated the creation of a Controller of Certifying Authorities. A Cyber Appellate Tribunal was also created to resolve disputes arising under the new law. To bring them into line with modern technology, the Act amended several parts of the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
Cybersecurity Law of the People's Republic of China
The National People's Congress passed the Cybersecurity Law of the People's Republic of China, also known as the Chinese Cybersecurity Law, with the stated intention of enhancing data protection, data localization, and cybersecurity, ostensibly for reasons of national security. The law was enacted as part of a larger package of measures approved by the Chinese government to strengthen national security legislation. Examples include the National Security Law of the People's Republic of China (not to be confused with the National Security Law of Hong Kong), the Law on National Intelligence, the Law on Counterterrorism, the Law on Foreign NGO Management, and other legislation issued in quick succession since 2014.